Search This Blog

How I Got My First Bounty.. " A Tale of GMAIL Stored XSS "

This bug i reported a longback and fixed now. Lets jump into the story.

In GMAIL settings general tab, there is an option for creating an automatic mail responder, in case if we go on a vacation and if we dont want to be disturbed. While going through gmail, like all the others, i also ignored that feature and tried here and there.

At the same time one of my goood friend @iampr3m was also testing Gmail and he was trying hard to find something in the same settings page. However that guy begin his testing from the top and testing in the Signature feature. So i started testing the settings page from bottom and i got lucky to have the vacation responder in the bottom of the page.

So, while testing, I observed that the vacation message is going in between a div tag. So as usual, i used a simple payload with img tag ( <img src=a onerror=alert(1)> ) to test my luck. As soon as the payload entered with < and >, the server invalidated the input and stripped of the special chars. So i tried the same payload in URL encoded form ( %3cimg%20src%3da%20onerror%3dalert(1)%3e ) and this time i got lucky. The tag was successfully embedded.

However the payload was not executing properly due to poor rendering of img tag in the response. It took too much time to execute. So i changed my payload to more simple and my default xss payload with style tag (in URL encoded form).

%3Cstyle%20onload%3D%22alert(1)%22%3E%3C%2Fstyle%3E

This time the payload executed successfully and got the popup. The next thing i tried was, to check where the payload got execute. For that i used alert(document.location). and to my surprise the payload got execute within the main domain itself.

Post a Comment

Popular posts from this blog

Almost 2 years back I found a cross site scripting and a Dom based Open Url redirection bugs on a certain web site. Since the issues are still not patched, even after 2 years, I have decided to write a blog on them.

Cross Site Scripting:
As per owasp, "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it."
While testing xxxxx.com, I ended up working on the support page pointing to xxxx.yyyy.com . After playing around the site, I found that it is vulnerable to the reflected cross site scripting on the following url.
http://xxxxx.yyyy.com/cu…

Hello Guys,
Today i would like to share a Cross Site Scripting Vulnerability that was existing in JSON/AJAX callback functionality. I found this vulnerability a few days back, but as the bug is fixed now, i'd like to share the story.
The vulnerability is existing in the forgot password functionality. The forgot password functionality uses an ajax based request/response mechanism within the login page. While testing the application, i observed that the application is using a callback function to render the response into the application.

This callback function name is being passed as a GET parameter. With a little analysis, i found that the callback parameter is vulnerable to Cross Site Scripting vulnerability. So i extracted the forget password request and crafted a GET based URL request with a simple XSS payload as the callback value.
https://www.DUMMY-WEBSITE.com/users/ajaxonforgotpassword.php?callback=<script>alert(document.cookie)</script><!--+

Its been a while since i published my last post. So, here i come with a write up for chaining of multiple issues in Facebook Acquisition - Instagram, that could allowed me to delete entire comments/captions from the Instagram DB.

For the first 2 hours or so, I could not find anything as each request is added with a signature and I am lazy enough not to understand/reverse the signature logic. So as usual, i was about the close my Mac and then, saw a request without signature.

Bingo..something to play around. so i started working on the request, trying to find most common bugs, like sqli,xss, csrf etc.. Then to cross verify a csrf issue, I used my browser. But to my surprise, in later requests in browser app, there is no signature at all, but of-course csrf issue is properly protected. So while testing with both the App and Browser together, I realised that there is an authorisation flaw in the comment deletion action. But it requires certain comment ID values, which are (supposed to be) n…